The U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) announced its final rule (the Enforcement Rule) implementing the information blocking penalties created by the 21st Century Cures Act that prohibit health care providers from blocking or interfering with patient access to any electronic information in a "designated record set," as the term is defined under HIPAA.[i] Those at risk of facing these long-awaited, OIG-imposed penalties are limited to the following actors:

(1) health IT developers of certified health information technology ("health IT") (including entities that offer certified health IT),

(2) health information exchanges ("HIEs"), and

(3) health information networks ("HINs").

Penalty enforcement will begin on Sept. 1, 2023, for information blocking conduct that occurs on or after that date.

The Enforcement Rule confirms information blocking enforcement remains a top governmental priority and is the latest of the government's many efforts to promote interoperability and information sharing across the health care industry. It took a long time for the OIG to publish the Enforcement Rule following its proposed rule published back in April 2020. It remains to be seen whether that delay will lead to an aggressive launch of enforcement efforts, in coordination with other federal agencies.

Previously, in May of 2020, the HHS Office of the National Coordinator for Health Information Technology (ONC) finalized the regulations defining the prohibited conduct that is considered "information blocking" (the Information Blocking Rule):[ii]

Information blocking is a practice that, except as required by law or covered by an information blocking exception, is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information ("EHI"), and:

  1. if conducted by a developer of certified health IT, HIE, or HIN, such actor knows, or should know, that such practice is likely to interfere with access, exchange, or use of EHI; or
  2. if conducted by a health care provider, such provider knows that such practice is unreasonable and is likely to interfere with access, exchange, or use of EHI.

The Information Blocking Rule also defined what information is within the scope of EHI and provided detailed information about eight information blocking "exceptions" that protect certain "reasonable and necessary activities" in which actors may engage.

Although the Information Blocking Rule applies to health care providers, providers are largely spared from liability under the Enforcement Rule. HHS is working to establish separate, "appropriate disincentives" for penalizing health care providers that engage in information blocking.

The OIG's Enforcement Rule does not impose new requirements. Rather, the OIG incorporated the Information Blocking Rule as the basis for its investigation and enforcement processes. The Enforcement Rule provides some crucial insights related to the OIG's investigation process and enforcement priorities, along with clarifications on the OIG's planned coordination with the ONC, Centers for Medicare & Medicaid Services (CMS), HHS Office for Civil Rights (OCR), Department of Justice (DOJ), and the Federal Trade Commission (FTC).


Here are our top five takeaways from the new Enforcement Rule:

  1. Whether the Enforcement Rule Applies

    The OIG confirmed that the definitions for health IT developers of certified health IT or HIEs/HINs under 45 CFR 171.102 are functional definitions that do not include or exclude any particular individuals or entities (e.g., health care providers, health plans, clinical data registries, etc.). Thus, whether an entity or individual may be subject to penalties under the Enforcement Rule is a fact-specific assessment.

    For example, health care providers generally are not subject to the Enforcement Rule. However, if a health care provider engages in an activity, such as offering certified health IT, then it would be considered a "health IT developer of certified health IT" when engaged in that role, and its actions as such would be within the purview of the Enforcement Rule. Likewise, if an insurer controls access to a platform or service that enables unaffiliated entities to exchange EHI with each other for payment or other health care operation purposes, then that insurer could fall within the definition of an HIE/HIN when engaged in that role. In making the determination, the OIG anticipates engaging with the entity or individual to better understand its functions and to offer it an opportunity to explain why the Enforcement Rule does not apply.

  2. What Is a Violation

    A "violation" is defined as a practice[iii] that constitutes information blocking.[iv] Whether a practice constitutes a violation will depend on the specific facts and circumstances, and at this stage the OIG did not specify criteria it would use to identify single or multiple violations. Instead, the OIG offered a few hypothetical examples, which we have simplified below, to illustrate how it would make its determinations.

    | Single Violation | Likely OIG Assessment |
    | --- | --- |
    | Dr. Clover, using technology from ORANGE, makes a single request to receive EHI for 10 patients through the certified API technology of BLUE, a health IT developer of certified health IT. BLUE takes a single action to prevent Dr. Clover from receiving any patient information. | Single violation affecting multiple patients. BLUE took a single action to deny all EHI requests from Dr. Clover. The number of patients affected by the violation would be relevant to determining the monetary amount of the penalty. |
    | Dr. Lilac, using technology from ORANGE, makes multiple requests to receive patients' EHI via certified API technology of BLUE, a health IT developer of certified health IT. BLUE has updated its system to deny all requests from anyone using ORANGE's technology. None of Dr. Lilac's requests via ORANGE's technology result in receipt of EHI, and all other EHI requests via ORANGE's technology also are denied due to BLUE's system configuration. | Single violation. The violation is BLUE's singular action to update its system to always deny EHI requested via ORANGE's technology. Depending on the volume of EHI requests via ORANGE's technology, the number of patients affected may be an aggravating circumstance resulting in an increased penalty. |

    | Multiple Violations | Likely OIG Assessment |
    | --- | --- |
    | Dr. Rose makes multiple, separate requests to receive EHI for several patients via certified API technology of BLUE, a health IT developer of certified health IT. BLUE denies each individual request but does not set up its system to automatically deny all of Dr. Rose's requests. Thus, BLUE is taking separate actions to block individual requests from Dr. Rose. | Multiple violations affecting multiple patient records. Each of BLUE's denials would be considered a separate act and, thus, a separate violation. The number of patients affected by each violation would be relevant to determining the penalty amount per violation. |
    | BLUE, a health IT developer of certified health IT, enters into a software license agreement with Dr. Aster that requires Dr. Aster to pay a fee for the express purpose of permitting Dr. Aster to export patients' EHI into another health IT system. When Dr. Aster requests the electronic export, BLUE charges Dr. Aster the fee. NOTE: the Fees Exception (45 CFR 171.302) specifically does not shield fees charged for this type of export. | Two violations. The first violation would be BLUE's inclusion of the fee provision in its contract that is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI. The second violation would be BLUE charging Dr. Aster the fee. |

    OIG's determination methodology will be key because the OIG's penalties are levied on a per-violation basis. The OIG clarified that actions taken by an actor in response to a valid request for EHI will provide the basis for assessing whether a practice constitutes a single or multiple violations. Thus, if an actor sets up its system to automatically deny all valid EHI requests of a certain type, that could constitute a single violation. In comparison, an actor separately denying valid EHI requests on an individualized basis could be liable for multiple violations. Since the number of patients affected is a factor in determining the penalty amount, actors will need to be mindful of both: (a) system configurations or policies that lead to denials of EHI affecting a large number of requests; and (b) situations resulting in a high volume of individualized denials of EHI requests (e.g., non-automated enforcement of a policy relating to EHI requests).

    **Practical Tip**:
    The OIG has six years from the date an actor commits an information blocking practice to bring an enforcement action. If an actor is engaging in certain data practices it believes are covered by one of the exceptions to the Information Blocking Rule, then the actor should maintain relevant, supporting documents for at least six years beyond the last action, in the event it needs to demonstrate to the OIG it meets a specific exception. Any documentation provided during an investigation will be considered by the OIG, and actors can anticipate having an opportunity to provide input during the investigation process.

  3. OIG's Penalty Enforcement Approach and Coordination With Other Agencies

    The OIG's primary lever for enforcement will be the issuance of financial sanctions. The OIG also anticipates creating an information blocking self-disclosure protocol (SDP), including an online submission form, and other processes. As with other SDPs, an individual or entity contemplating self-disclosure of a potential violation should consider discussing with legal counsel the benefits and risks prior to taking any action with respect to an SDP. Alternative enforcement approaches, such as providing education or corrective action plans, are not anticipated.

    The OIG also repeatedly emphasized throughout the Enforcement Rule that it will coordinate with other federal agencies regarding investigative and enforcement efforts concerning information blocking, as permitted by the Cures Act. The other agencies OIG plans to work with include:

    • ONC: Both OIG and ONC will have their own processes for the public to submit reports of claimed information blocking practices,[v] and OIG expects nearly all information blocking investigations will be coordinated with ONC. ONC is empowered to suspend or ban health IT developers from the ONC Health IT Certification Program.
    • OCR: OIG may refer to OCR complaints of information blocking practices that may violate HIPAA. HIPAA provides individuals access to EHI, and any interference with such access could implicate violations of both the Enforcement Rule and HIPAA. [vi]
    • CMS: OIG indicated that it may refer to CMS allegations regarding non-compliance with CMS program requirements (e.g., CMS's Promoting Interoperability Program, Merit-Based Incentive Payment System (MIPS), etc.). CMS can take enforcement action against those participating in Medicare, Medicaid, and other federal health programs.[vii]
    • DOJ: OIG forewarned that an actor's practices could create both information blocking and false claims liability. OIG illustrated this point with the example of a developer of certified health IT falsifying its attestations by engaging in information blocking and thereby causing health care providers to file false attestations under MIPS.[viii]
    • FTC: OIG may share with the FTC information from complaints involving allegations of unfair trade practices and anticompetitive conduct. The FTC is empowered to levy civil penalties for conduct that violates the FTC Act.[ix]

  4. Factors Used to Determine Penalty Amounts

    When determining a civil monetary penalty (CMP) amount, OIG considers the factors in its typical penalty rubric:
    • the nature of claims and the circumstances under which they were presented
    • the degree of culpability
    • history of prior offenses
    • financial condition of the person presenting the claims
    • other matters as justice may require

    In addition to this rubric, OIG has added three new factors it will consider when determining a CMP amount for an information blocking violation:
    • the number of patients affected
    • the number of providers affected
    • the number of days the information blocking persisted.

    OIG clarified that in the event certain factors overlap, it would not "double count" the factors when determining a penalty. Additional considerations specific to alleged information blocking claims include whether the actor had actual knowledge or specific intent to engage in information blocking, the number of violations, whether violation(s) actually interfered with access, exchange, or use of EHI, and any remedial steps taken by the actor to "unblock" EHI.

  5. OIG's Enforcement Priorities

    Although OIG states that the following priority areas are intended to inform its decisions on which information blocking allegations to pursue, it warned that the priorities are not dispositive and that it will work with ONC and other agencies to review each allegation's unique facts and circumstances to evaluate and prioritize which claims it deems to merit investigation.

    | Enforcement Priority | Description |
    | --- | --- |
    | Patient Harm: Conduct that resulted in, is causing, or had the potential to cause patient harm | Patient harm may encompass individual harm or harm more broadly caused to a patient population, community, or the public. |
    | Patient Care: Conduct that significantly impacted a provider's ability to care for patients | Practices that create hurdles to EHI exchange among providers (e.g., anti-competitive conduct such as a contract containing unconscionable terms related to sharing of patient data, thereby affecting patient care). |
    | Volume and Duration: Conduct that was of long duration | Volume and duration of practices relating to the same (or similar) conduct by the same actor. |
    | Loss to Federal Programs: Conduct that caused financial loss to Federal health care programs or other government or private entities | The financial thresholds for enforcement of fraud and similar conduct related to the Federal health care programs also will hold for enforcement related to damages sustained by HHS for information blocking. |
    | Actual Knowledge: Conduct that was performed with actual knowledge | The definition of information blocking includes an element of intent. For health IT developers of certified health IT and HIEs/HINs, actual knowledge is not required and they may be held liable for a practice if they should have known it constituted information blocking. Those acting with actual knowledge are generally more egregious violators and likely will be prioritized for investigation. |

Next Steps to Prepare for the Enforcement Rule

To prepare for upcoming enforcement, entities that are subject to the information blocking rule may want to consider the following steps:

  • Assess whether the entity at times may be engaging in practices that are within the purview of the functional definitions of a health IT developer of certified health IT or an HIE/HIN, which may make it subject to the Enforcement Rule. For example, review whether it offers certified health IT to others, or whether it controls access to a platform or service that enables exchange among others for treatment, payment or other health care operation purposes.
  • Prior to Sept. 1, 2023, review data sharing practices to determine if a practice constitutes information blocking and take any necessary steps to modify those that pose the greatest enforcement risks.
  • For those practices believed to fit within an information blocking exception, plan to retain related documentation for a timeframe beyond six (6) years. (In comparison, the Information Blocking Rule established a 10-year records and information retention requirement for health IT developers of certified health IT as part of the ONC Health IT Certification Program).
  • After Sept. 1, 2023, if a practice is determined to constitute information blocking, consider steps to remediate the practice and consider whether to leverage OIG's self-disclosure protocol.

More information on the Information Blocking Rule is available here. We also offer an Information Blocking Toolkit to help actors assess their data sharing practices involving EHI and review those that pose the most significant information blocking risk. Please contact Michaela Andrawis for more details.

[i] 88 Fed. Reg. 42820 (July 3, 2023).

[ii] 85 Fed. Reg. 25642 (May 1, 2020).

[iii] A "practice" means an act or omission by an actor. 45 C.F.R. § 171.102.

[iv] Under 45 C.F.R. § 171.103, Information blocking means a practice that -

(1) Except as required by law or covered by an exception set forth in subpart B or subpart C of this part, is likely to interfere with access, exchange, or use of electronic health information; and

(2) If conducted by a health IT developer of certified health IT, health information network or health information exchange, such developer, network or exchange knows, or should know, that such practice is likely to interfere with access, exchange, or use of electronic health information; or

(3) If conducted by a health care provider, such provider knows that such practice is unreasonable and is likely to interfere with access, exchange, or use of electronic health information.

[v] Information blocking claims can be submitted either to ONC through its online Information Blocking Portal, or to the OIG via its website or by phone at 1-800-447-8477. (See 88 Fed. Reg. at 42,823).

[vi] 88 Fed. Reg. 42820, 42822 (July 3, 2023).

[vii] Id. at 42824.

[viii] Id.

[ix] Id. at 42823-42824.